Find notable cyber news and cases, enriched with sources, timelines, and signals.

Augmented Marauder / Water Saci multi-pronged phishing campaign targeting Latin America and Europe

Campaign
First reported
Last updated
Happening score
H score 38
1 unique sources, 2 articles

Summary

Hide ▲

Water Saci is actively evolving a WhatsApp Web worm in Brazil that uses HTA and PDF lures to deliver a banking trojan. The latest wave shifts from PowerShell to a Python-based propagation script that spreads through trusted contacts on WhatsApp Web, helping the campaign bypass conventional controls and increase infection rates. Trend Micro says the chain may have been ported with help from an LLM/code-translation tool. The malware uses AutoIt, executed.dat, and command-and-control domains including manoelimoveiscaioba[.]com and serverseistemasatu[.]com to support persistence, reconnaissance, and remote control.

Related Happenings

WhatsApp VBScript attachment distribution campaign

Campaign
H score42 First: 23.06.2026 08:38 Last: 23.06.2026 08:38 Sources 1

About this happening: The active **WhatsApp VBScript** campaign is spreading malicious attachments that can lead to **remote access** on victim systems. It targets **WhatsApp Desktop** and **WhatsApp W...

WhatsApp VBScript infection chain installing ManageEngine RMM Central

Malware Activity
H score20 First: 23.06.2026 08:38 Last: 23.06.2026 08:38 Sources 1

About this happening: **VBScript attachments** spread through **WhatsApp direct messages** are now driving a **multi-stage Windows infection chain** that can end in remote access to victim systems. The...

WhatsApp VBScript phishing campaign targeting users in multiple countries

Campaign
H score43 First: 23.06.2026 01:42 Last: 23.06.2026 01:42 Sources 1

About this happening: An **ongoing phishing campaign** is using **compromised WhatsApp accounts** to send **obfuscated VBScript files** to users in **multiple countries**, creating a path to **remote s...

NSO Group WhatsApp spear-phishing campaign

Campaign
H score37 First: 08.06.2026 20:08 Last: 08.06.2026 20:08 Sources 1

About this happening: **NSO Group** remains tied to a **WhatsApp** spear-phishing **campaign** that used **malicious links** to push targets to external websites outside the app. On **June 8**, WhatsAp...

TCLBANKER banking trojan activity targeting 59 financial platforms

Malware Activity
H score20 First: 08.05.2026 21:12 Last: 08.05.2026 21:12 Sources 1

About this happening: **TCLBANKER** is a newly documented **Brazilian banking trojan** that can hit **59 banking, fintech, and cryptocurrency platforms**, increasing the risk of credential theft and re...

Timeline

  1. 01.04.2026 15:36 2 articles · 3mo ago

    Augmented Marauder / Water Saci phishing campaign targets Latin America and Europe

    Campaign Scope Update

    Augmented Marauder / Water Saci are running a multi-pronged phishing campaign against Spanish-speaking users in organizations across Latin America and Europe, using email, WhatsApp, and ClickFix paths to deliver Casbaneiro (Metamorfo) through Horabot and to harvest Outlook contacts for further phishing.

    Show sources
  2. 01.04.2026 15:36 2 articles · 3mo ago

    Phishing chain uses PDF lure, HTA/VBS payloads, and AutoIt loaders

    Technical Analysis Update

    The delivery chain starts with court summons-themed phishing emails that push a password-protected PDF, a malicious link, and an automatic ZIP download before executing HTA and VBS payloads; the VBS stage performs anti-analysis checks, retrieves AutoIt-based loaders, and launches encrypted payloads that load staticdata.dll for Casbaneiro and at.dll for Horabot, including a remote PHP API at hxxps://tt.grupobedfs[.]com/.../gera_pdf.php for dynamic PDF generation.

    Show sources